Researchers Identify Serious Capability Leaks in Many Android Phones

Many of the apps that come pre-installed on a variety of Android devices from manufacturers such as HTC, Samsung, Google and others have access to more services and capabilities on the devices than they should or that users are aware they have, according to new research. These “capability leaks” can sometimes be inherited from other apps, but the researchers say that they constitute significant security weaknesses on the Android devices.

Android securityMany of the apps that come pre-installed on a variety of Android devices from manufacturers such as HTC, Samsung, Google and others have access to more services and capabilities on the devices than they should or that users are aware they have, according to new research. These “capability leaks” can sometimes be inherited from other apps, but the researchers say that they constitute significant security weaknesses on the Android devices.

The new research was done by a group from North Carolina State University, and the results they came up with are not particularly pretty. They wrote a tool called Woodpecker that analyzes each app on the phone to see whether it can reach certain dangerous permissions on the phone from a public interface. They found that, among the 13 specific permissions they analyzed, 11 of them were leaked to various apps on the handsets.

The researchers, Michael Grace, Yajin Zhou, Zhi Wang, Xuxian Jiang, looked at several Android handsets, including the HTC Legend, EVO 4G and Wildfire S; the Motorola Droid and Droid X; Samsung Epic 4G; and Google Nexus One and Nexus S. They broke the capability leaks down into two categories: implicit and explicit. Explicit capability leaks allow an app to access permissions from a public interface without notifying the user. And implicit leaks allow an app to inherit permissions from another app signed with the same key.

The N.C. State researchers looked at 13 specific permissions on Android phones, including the ability to access location information, make a phone call, access the camera, install packages, deleter packages and send SMS messages. Every one of the devices they studied had at least one capability leak, whether explicit or implicit. The device with the most capability leaks was the HTC EVO 4G, which had eight explicit leaks and two implicit leaks.

The devices that performed the best in the analysis with the Woodpecker tool are the two Google handsets that the N.C. State researchers tested. Both the Nexus One and Nexus S came up with just one explicit capability leak each, which is related to an app that can be tricked into deleting other packages. The researchers said that a couple of the manufacturers have confirmed the leaks, while others have been unresponsive.

“After identifying these capability leaks, we spent a considerable amount of time on reporting them to the corresponding vendors. As of this writing, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung have been really slow in responding to, if not ignoring, our reports/inquiries. Though the uncovered capabilities leaks on the HTC and Samsung phones have not been confirmed by their respective vendors, we have developed a test app to exercise and confirm all the discovered (explicit) capability leaks on the affected phones,” the researchers say in their paper, “Systematic Detection of Capability Leaks in Stock Android Smartphones”.

“We believe these results demonstrate that capability leaks constitute a tangible security weakness for many Android smartphones in the market today. Particularly, smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks.”

The N.C. State researchers say that the results of their study do not bode well for user privacy and security.

“The results are worrisome: among the 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission,” they wrote.

Suggested articles